General

  • Target

    c36fbe6dd8f9632176f3927fca2c2e674a5929d33e7d245f1053bf69ec2b11a9

  • Size

    379KB

  • Sample

    240909-vb1h3sygjm

  • MD5

    95b628b19f244451d5f69a864e24b260

  • SHA1

    a478f681098713f959d89361c09c14d02552e6ed

  • SHA256

    c36fbe6dd8f9632176f3927fca2c2e674a5929d33e7d245f1053bf69ec2b11a9

  • SHA512

    f2755be22ecdb5aa22ac741fd4bb4d1f1fded762106dd04e6926771ba2ceb19414228fab882b609504ece92583084634ff10b1febdcecd26ac70ac40a1aa7caa

  • SSDEEP

    3072:V8XBk++uc5jv/MfYABOMHfa80LxDtamgthsGiOTBILGvmYX0ZSZn0YTwsu9f:mBknHMfYAB1aLLMhsdOdILGmM92f

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Target

      c36fbe6dd8f9632176f3927fca2c2e674a5929d33e7d245f1053bf69ec2b11a9

    • Size

      379KB

    • MD5

      95b628b19f244451d5f69a864e24b260

    • SHA1

      a478f681098713f959d89361c09c14d02552e6ed

    • SHA256

      c36fbe6dd8f9632176f3927fca2c2e674a5929d33e7d245f1053bf69ec2b11a9

    • SHA512

      f2755be22ecdb5aa22ac741fd4bb4d1f1fded762106dd04e6926771ba2ceb19414228fab882b609504ece92583084634ff10b1febdcecd26ac70ac40a1aa7caa

    • SSDEEP

      3072:V8XBk++uc5jv/MfYABOMHfa80LxDtamgthsGiOTBILGvmYX0ZSZn0YTwsu9f:mBknHMfYAB1aLLMhsdOdILGmM92f

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks